CVE-2023-53747
Description
In the Linux kernel, the following vulnerability has been resolved:
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_destruct(). Because of that, the struct vc_data pointer must be reloaded in the while loop in vcs_write() after console_lock() to avoid a UAF when vcs_size() is called.
Syzkaller reported a UAF in vcs_size().
BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119

Call Trace:
 __asan_report_load4_noabort (mm/kasan/report_generic.c:380)
 vcs_size (drivers/tty/vt/vc_screen.c:215)
 vcs_write (drivers/tty/vt/vc_screen.c:664)
 vfs_write (fs/read_write.c:582 fs/read_write.c:564)
 ...

Allocated by task 1213:
 kmalloc_trace (mm/slab_common.c:1064)
 vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
 con_install (drivers/tty/vt/vt.c:3334)
 tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 drivers/tty/tty_io.c:1392)
 tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
 chrdev_open (fs/char_dev.c:415)
 do_dentry_open (fs/open.c:921)
 vfs_open (fs/open.c:1052)
 ...

Freed by task 4116:
 kfree (mm/slab_common.c:1016)
 vc_port_destruct (drivers/tty/vt/vt.c:1044)
 tty_port_destructor (drivers/tty/tty_port.c:296)
 tty_port_put (drivers/tty/tty_port.c:312)
 vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
 vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
 tty_ioctl (drivers/tty/tty_io.c:2778)
 ...

The buggy address belongs to the object at ffff8880beab8800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
 freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)

The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's vcs_write() occurs when the vc_data pointer is not reloaded after console_unlock(), allowing local privilege escalation.
Vulnerability
In the Linux kernel's vc_screen driver, the vcs_write() function fails to reload the struct vc_data pointer after calling console_unlock(). This oversight leads to a use-after-free (UAF) vulnerability because console_unlock() can trigger vc_port_destruct(), which frees the vc_data structure. When the loop in vcs_write() subsequently calls vcs_size() with the stale pointer, it accesses freed memory, as reported by syzkaller and confirmed by KASAN [1][2].
Exploitation
An attacker with local access and the ability to write to /dev/vcs* devices can trigger the race condition. The attack requires no special privileges beyond write access to the virtual console screen devices. By carefully timing the write operation to coincide with a console unlock that frees the vc_data, the attacker can cause the kernel to read from a freed slab object [3].
Impact
Successful exploitation results in a use-after-free condition, which can lead to memory corruption, system crash (denial of service) or, potentially, local privilege escalation if the attacker can control the freed memory to redirect execution. The KASAN report shows a read of size 4 at a freed address, indicating the vulnerability is exploitable [1].
Mitigation
The fix is to reload the vc_data pointer after re-acquiring console_lock() in the vcs_write() loop. Patches have been applied to the Linux kernel stable branches, and users should update to a kernel containing the fix (e.g., commits a4e3c4c65ae8, 3338d0b9acde, e3d1adcad5b7) [1][2][3].
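The bug pattern from the description and the fix described under Mitigation, as an added user-space model. This is not the kernel's code and not the patch itself: the function names mirror the kernel's (vc_allocate, vc_deallocate, vcs_vc, vcs_size, the vcs_write loop) but are toy reimplementations, a `freed` flag on a fixed pool stands in for the slab allocator and KASAN's poisoning, a `racer` callback stands in for a concurrent VT_DISALLOCATE ioctl running while console_lock() is dropped, and the error code returned on the model's stale-pointer path is the model's own choice (the real driver would simply read freed memory).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Toy user-space model, not kernel code. A fixed pool of vc_data objects
 * plus a "freed" flag stands in for the slab allocator and KASAN poisoning:
 * touching a freed object is recorded instead of crashing. */
#define MAX_NR_CONSOLES 4

struct vc_data {
    int vc_rows;
    int vc_cols;
    int freed;               /* set when the object is "kfree()d" */
};

static struct vc_data vc_pool[MAX_NR_CONSOLES];
static struct vc_data *vc_cons[MAX_NR_CONSOLES];  /* index -> live vc, or NULL */

struct write_result {
    int ret;                 /* bytes written, or negative errno */
    int uaf;                 /* 1 if a freed vc_data was dereferenced */
};

static int uaf_seen;

/* vc_allocate(): hand out a fresh object and publish it in the table. */
static struct vc_data *vc_allocate(int idx) {
    struct vc_data *vc = &vc_pool[idx];
    vc->vc_rows = 25;
    vc->vc_cols = 80;
    vc->freed = 0;
    vc_cons[idx] = vc;
    return vc;
}

/* vt_disallocate_all() -> vc_port_destruct(): unpublish and free the object. */
static void vc_deallocate(int idx) {
    if (vc_cons[idx]) {
        vc_cons[idx]->freed = 1;
        vc_cons[idx] = NULL;
    }
}

/* vcs_vc(): look the console up again; only meaningful while holding console_lock. */
static struct vc_data *vcs_vc(int idx) { return vc_cons[idx]; }

/* vcs_size(): reads vc_rows/vc_cols. On a stale pointer this is the UAF. */
static int vcs_size(struct vc_data *vc) {
    if (vc->freed) {
        uaf_seen = 1;
        return -1;
    }
    return vc->vc_rows * vc->vc_cols;
}

/* Whatever runs while console_unlock() has dropped the lock. */
typedef void (*racer_fn)(int idx);
static void racer_none(int idx) { (void)idx; }
static void racer_disallocate(int idx) { vc_deallocate(idx); }

/* Model of the vcs_write() loop: the driver drops console_lock between chunks
 * (around its copy from user space) and takes it again before calling
 * vcs_size(). reload=0 keeps using the pointer taken before the loop (the bug);
 * reload=1 re-fetches it after console_lock(), as the fix does. */
static struct write_result vcs_write_model(int idx, size_t count, int reload,
                                           racer_fn racer) {
    struct write_result r = { 0, 0 };
    struct vc_data *vc = vcs_vc(idx);
    size_t written = 0;

    uaf_seen = 0;
    if (!vc) {
        r.ret = -ENXIO;
        return r;
    }
    while (count) {
        size_t chunk = count > 16 ? 16 : count;

        /* console_unlock(); copy_from_user(...); console_lock(); */
        racer(idx);

        if (reload) {
            vc = vcs_vc(idx);            /* the fix: reload under the lock */
            if (!vc) {                   /* console went away meanwhile */
                r.ret = written ? (int)written : -ENXIO;
                return r;
            }
        }
        if (vcs_size(vc) < 0) {          /* stale pointer: freed memory (model only) */
            r.ret = -EFAULT;
            r.uaf = uaf_seen;
            return r;
        }
        written += chunk;
        count -= chunk;
    }
    r.ret = (int)written;
    r.uaf = uaf_seen;
    return r;
}

/* Run one scenario on console 0 with a 40-byte write (constructed input). */
static struct write_result run_scenario(int reload, int race) {
    vc_allocate(0);
    return vcs_write_model(0, 40, reload, race ? racer_disallocate : racer_none);
}

int main(void) {
    struct write_result bug = run_scenario(0, 1);
    struct write_result fix = run_scenario(1, 1);
    printf("pre-fix : ret=%d uaf=%d\n", bug.ret, bug.uaf);   /* uaf=1 */
    printf("with fix: ret=%d uaf=%d\n", fix.ret, fix.uaf);   /* ret=-ENXIO, uaf=0 */
    return 0;
}
```

The point the model makes is the one in the commit message: any pointer to a vc_data taken before console_unlock() is untrusted once the lock is reacquired, because vt_disallocate_all() may have run in between. Reloading through the console table under the lock turns the stale dereference into a clean -ENXIO (or a short write if some bytes already went out), which is also the condition a regression test for this driver should exercise.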
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
8
- 934de9a9b659
- 0deff6781573
- a4e3c4c65ae8
- 11dddfbb7a4e
- e3d1adcad5b7
- 3338d0b9acde
- 1de42e7653d6
- 8fb9ea65c9d1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8
- git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d [nvd]
- git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047 [nvd]
- git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f [nvd]
- git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc [nvd]
- git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 [nvd]
- git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea [nvd]
- git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2 [nvd]
- git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67 [nvd]
News mentions
0
No linked articles in our index yet.